Delivering a FedRAMP or 800-171 compliant cloud solution on AWS

Contractors providing technical support services for DOD and US Federal Agencies are required to provide FedRAMP compliant cloud solutions that comply with NIST SP 800-171 or NIST SP 800-53 depending on whether the system is used internally or operated on behalf of a government customer. AWS provides FedRAMP Moderate and FedRAMP High accredited cloud services within the US East/West or AWS GovCloud regions respectively. That is a great start but more is required!

1. Creating a compliant application and data architecture that meets FedRAMP controls based on the Shared Responsibility Model

2. Conducting a Security Assessment and Authorization (SA&A) activity to prepare the documentation that captures the security architecture, contingency plans and other IT management best practices and A Plan of Actions and Milestones (POAM) to indicate when the backlog of security and operational issues will be resolved; and

3. Continuous Monitoring and Management plan that ensures that vulnerabilities are managed and the system is monitored for anomalies and breaches can be detected.

We at stackArmor call this “Security by Design“. Please visit our Security MicroSummit page to learn more.

1. Develop A Compliant Architecture
A compliant cloud architecture must take into consideration security best practices and ensure that all of the components above the operating system are protected. Typically, this requires setting up and configuring networking, firewall, security groups, subnets and creation of hardened instances.

As part of the initial build phase the following activities need to be performed:
a) Setup and configure FedRAMP Moderate or High compliant AWS VPC, define security groups, establish VPN connectivity and spin-up instances in support of the workload.
b) Install client-provided software components including application servers, database servers and assist with configuration.
c) Provide centralized authentication, authorization and access control for privileged user access management in compliance with  FedRAMP/FISMA Security Policies.
d) Support application configuration and data migration activities including activities around installation of the software application, configuring the web server and database servers and associated application and data services.
e) Configure and operationalize backup and recovery methods using AMI snapshots to S3 and setup CloudWatch alerts for system performance and management.

Additional features of a compliant architecture include compliance with specific control families as specified by NIST SP 800-53 or NIST SP 800-171 as described below.

Boundary Protection with Web Application Firewall: All traffic to the website including registered users, anonymous and administrative traffic will be controlled by security groups and a Web Application Firewall (WAF) based Application Load Balancer (ALB). The web application(s) and the data will be segregated through private subnets. The state-of-the-art firewall layer will protect the security and integrity of the application and to prevent malicious traffic at the Web Application (Layer 7) level such as SQL injection, cross-site scripting attacks etc.

Network Segmentation and Separation of Servers & Data: Three separate enclaves for Production, Test and Dev will be provisioned within the AWS VPC to ensure maximum security and segregation through subnets and security groups (firewalls).

Network and Access Management: All access to the environment shall be through secure means including the use of centralized authentication and access management using LDAP, Bastion and SSH based access to servers for administrators and developers.

Database Encryption: The data shall be protected at Rest and in Motion using SSL/TLS protocols for communication over the internet. All data at rest shall be encrypted using AES-256 in the EBS volumes and S3 buckets including archival and staging data.

Logging and Monitoring: In compliance with FedRAMP/FISMA security requirements for continuous monitoring and compliance, CloudWatch, Config, CloudTrail are cloud-native services for tracking activity, configuration changes and access control/tracking for any changes within the AWS VPC configured for the application.

System Hardening and Compliance with Best Practices: The hosted environment should be hardened and configured based on industry best practices such as CIS (Center for Internet Security), DISA STIG or similar benchmarks.

Vulnerability Management and SCAP compliance scanning: AWS provider native services such as AWS Inspector for SCAP compliance scanning, and patching is performed using EC2 Systems Manager. The environment will be patched and scanned for vulnerabilities on a monthly basis.

2. Conduct A Security Assessment and Authorization (SA&A)
Collect all relevant templates for a FedRAMP, FISMA or 800-171 SA&A Process and gather all related documentation related to the system and the applicable policies. Typically the following documents and work products need to be produced.

System Security Plan (SSP): The SSP is a template that provides the framework to capture the system environment, system responsibilities, and the current status of the implemented baseline controls required for the system.

Security Assessment Plan/Report (SAP/SAR): The SAP/SAR Template is intended for independent security assessment testing. Once completed, this template constitutes as a plan for testing security controls.

POA&M: The POA&M provides a structured framework for aggregating system vulnerabilities and deficiencies through security assessment and continuous monitoring efforts. This artifact is a tracking tool for risk mitigation in accordance with security and risk priorities.

Contingency Plan and Contingency Plan Test: Contingency and risk planning artifact for conducting DR scenarios, and providing adequate information on incident response. The Contingency Plan provides methods and controls for ensuring continuity of service and system resilience in the face of an incident or disaster.

Independent Assessment Report: Conduct an independent vulnerability and penetration scan to ensure that the systems are not obviously vulnerable to well known attacks.

3. Perform Continuous Monitoring and Management 
Delivering a FedRAMP or NIST SP 800-171 compliant system requires periodic performance of specific security and operational activities. stackArmor provides cloud managed services to help organizations ensure the operational integrity of their systems hosted in the AWS environment. The table shows a sample of common activities that must be performed and their frequency.

1 Monthly Patching and Vulnerability Management. A sample vulnerability report is shown below. Monthly Use a SCAP compliant scanner
2 Backup and Recovery Services setup and Management Daily Configured and monitoring using AWS policies and automation
3 Continuous Monitoring and Security Logs Review. A sample continuous monitoring report is shown below. Monthly Review operational logs and provide a continuous monitoring report
4 Security Review and Reporting. A sample security review report is shown below. Monthly Using stackArmor ThreatAlert to detect and report on common misconfigurations
5 Technical Support as needed to assist with resolving access or infrastructure issues As Needed With an up to 8 hours SLA

Every agency or customer requires evidence in the form of reports to be produced related to the various Management, Maintenance and Continuous Monitoring activities.

Monthly Continuous Monitoring Report: A periodic report is prepared to provide a summary of the management and monitoring activities performed on the system. Typically, this report is called the Monthly Continuous Monitoring Report (ConMon) which is a customized presentation of key events of interest in the environment. This report is prepared using aggregation of logs from various sources including the firewall, logins to the AWS environment and the activity within the environment, Typically, the report is prepared using AWS Config, AWS CloudTrail and AWS CloudWatch data sources.

Some of the elements of the Continuous Management and Monitoring activities are described through samples below.

Sample Internal Vulnerability Scanner ReportEnsuring the integrity of the system requires the identification of vulnerabilities in the system. A SCAP compliant vulnerability scanner produces a report similar to the table shown below. This report helps identify High, Medium or Low vulnerabilities that must be remediated.

ID CVE CVSS Risk Host Protocol Port Name Synopsis
99316 CVE-2016-7910 9.3 High tcp 0 CentOS 6 : kernel (CESA-2017:0892) The remote CentOS host is missing one or more security updates.
99316 CVE-2017-2636 9.3 High tcp 0 CentOS 6 : kernel (CESA-2017:0892) The remote CentOS host is missing one or more security updates.
99536 CVE-2017-5461 7.5 High tcp 0 CentOS 6 / 7 : nss / nss-util (CESA-2017:1100) The remote CentOS host is missing one or more security updates.
100555 CVE-2017-7502 5 Medium tcp 0 CentOS 6 : nss (CESA-2017:1364) The remote CentOS host is missing one or more security updates.
100557 CVE-2017-6214 5 Medium tcp 0 CentOS 6 : kernel (CESA-2017:1372) The remote CentOS host is missing one or more security updates.
100558 CVE-2017-1000367 6.9 Medium tcp 0 CentOS 6 / 7 : sudo (CESA-2017:1382) The remote CentOS host is missing one or more security updates.

Given the complexity of most enterprise systems with multiple layers, a “full-stack” approach to vulnerability scanning and monitoring is important.

Sample stackArmor ThreatAlert Security Review Report: stackArmor’s ThreatAlert service helps identify common misconfigurations in commonly used AWS services such as IAM, RDS, S3, Security Groups to ensure that best practices are followed. The table below shows an output from the scan to help detect and remediate misconfigurations.

Component Issue Score Issue Category Notes/Comment
securitygroup office-web (sg-dxxx in vpc-09xxxxa6d) 10 Unknown Access Entity: [cidr:] Access: [ingress:tcp:443]
s3 xxxxx-prod-s3-backup-us-east 10 Unknown Access Entity: [ACL:bxxxxxxxxxxdd8cda9ee47] Actions: [“FULL_CONTROL”]
Policy AdministratorAccess 10 Managed Policy has full admin privileges. {“Action”: “*”, “Resource”: “*”, “Effect”: “Allow”}
Cloudtrail xxxxx-ca-central 10 POLICY – CloudTrail is not enabled for multi-region None

Are you a federal contractor trying to meet 800-171 compliance deadlines or trying to deliver a FedRAMP compliant service? Contact us and schedule a free consultation to see if stackArmor can help you save money and time as well as costly mistakes!